about NLANR

> I used the trace file from NLANR to test Bro. But Bro does nothing


> report
> bad checksum.

That's because those traces don't have any packet contents.

But the checksum function seems do not check the checksum of contents, just the packet head.

> What should I do , to make trace file available to Bro?

You should first consider whether it will be useful to analyze them with
Bro, given a lack of contents.

I see the stepping.bro is using the ON/OFF algorithm, when report "time".
I have a novel way to detect connection pair! And I want to compare my algorithm with the ON/OFF. :slight_smile:

If so, then "redef ignore_checksums = T" will turn off the checksum tests.

Have nice day!
-- cloud

the nlanr traces anonymize the ip addresses but do not update the
ip header checksum to reflect that change, so the checksum check will
fail in general.

-- david moore